Preparing for Mobile Device Management

Over the next few days, I’ll be writing a series of blog posts about mobile device management (MDM). Microsoft’s focus is on providing best-in-class mobile and cloud services.

Today, everyone has a mobile device, whether it’s a tablet, convertible, laptop, or smartphone. Users are never out of touch with one another and their information. But how can we manage devices that are never in one place for long? Well, because mobile devices mostly use cloud services, the best way to manage these devices is through a cloud service.

Enter Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. These products provide user-centric management for devices that are mobile or at your offices. Over the next few posts, I’ll be focusing on how to use System Center 2012 R2 Configuration Manager and Windows Intune to manage your mobile devices and reduce the level of effort (and worry) you spend doing so.

Watch this video to see Microsoft mobile device management in action.

Now that we’ve seen how Microsoft mobile device management works, let’s talk more about the products that are used and how they work together.

Microsoft mobile device management products

I’ll start off by talking about the products in a Microsoft MDM solution: Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. Why do you need both products? The short answer is that you don’t. For example, many organizations are using System Center 2012 R2 Configuration Manager and Microsoft Exchange Server to manage their mobile devices through Microsoft Exchange ActiveSync. Other organizations use only Windows Intune to manage their on-premises and mobile devices.

So, why use both System Center 2012 R2 Configuration Manager and Windows Intune? To be able to manage all of your devices and users in one place. When you integrate these two products, you can manage users and devices regardless of whether they are in your office or out in the field, and you can do so from one management console: the Configuration Manager console. This integration allows you to manage all phases of the device life cycle, too, from device enrollment through device retirement and all phases in between.

In fact, when you enable System Center 2012 R2 Configuration Manager and Windows Intune integration, Windows Intune becomes transparent for the most part. You manage devices through System Center 2012 R2 Configuration Manager, which communicates with Windows Intune through the Windows Intune Connector in System Center 2012 R2 Configuration Manager. Windows Intune communicates with your mobile devices. Conceptually, after you set up the System Center 2012 R2 Configuration Manager–Windows Intune integration, Windows Intune appears as a logical extension of System Center 2012 R2 Configuration Manager.

So, let’s look at how to prepare for MDM by examining the prerequisites.

Mobile device management prerequisites

How do you go about creating an enterprise-class MDM solution? You need:

System Center 2012 R2 Configuration Manager. This version of System Center Configuration Manager has all the features to manage Windows, Windows Phone, Apple iOS, and Google Android devices. System Center 2012 R2 Configuration Manager also supports the latest version of Windows Intune, which provides support for the Windows 8.1 operating system, Windows Phone 8.1, iOS 7, Android, and the Samsung KNOX Standard platform.

Windows Intune subscription. Windows Intune subscriptions are based on the number of users you’re managing. You can manage up to five devices for each user, which means that you will need a subscription license for each user who has a mobile device. Users who don’t have a mobile device don’t require a Windows Intune subscription license.

Public Domain Name System (DNS) domain. You must have a public-facing DNS domain that Windows Intune can verify. The Windows Intune verification process includes adding DNS records to this domain.

Public user principal name (UPN) for users. Ensure that your users have a public UPN (such as dan@contoso.com). The domain portion of the UPN should match the public DNS domain that Windows Intune verified.

Create a DNS alias for automatic enrollment. In your public-facing DNS zone, add a DNS alias (CNAME) record for EnterpriseEnrollment that points to manage.microsoft.com. For example, if the user UPN is dan@contoso.com, you would create a DNS record of EnterpriseEnrollment.contoso.com.
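The UPN and DNS prerequisites above lend themselves to a pre-flight check before you touch the Windows Intune subscription. The following PowerShell function is an added example, not code from the original post or from Microsoft; it assumes Resolve-DnsName is available (Windows 8 / Windows Server 2012 or later), that the domain list you pass in is the set of domains Windows Intune has already verified, and it uses contoso.com plus a constructed non-routable UPN as sample input.

```powershell
# Added example (not from the original post): pre-flight check for the UPN and
# EnterpriseEnrollment CNAME prerequisites. Assumes Resolve-DnsName exists
# (Windows 8 / Windows Server 2012 or later) and that $VerifiedDomains holds
# the domains Windows Intune has already verified.
function Test-MdmDnsPrerequisites {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains,
        [string] $EnrollmentTarget = 'manage.microsoft.com'
    )

    $results = @()

    # 1. Every UPN suffix must be one of the domains Windows Intune verified.
    #    (-contains is case-insensitive in PowerShell.)
    $upnDomains = $UserPrincipalNames |
        ForEach-Object { ($_ -split '@', 2)[1].ToLowerInvariant() } |
        Sort-Object -Unique

    foreach ($domain in $upnDomains) {
        $results += [pscustomobject]@{
            Check  = 'UPN suffix is a verified domain'
            Item   = $domain
            Passed = $VerifiedDomains -contains $domain
        }
    }

    # 2. Each verified domain needs EnterpriseEnrollment.<domain> as a CNAME
    #    that points at manage.microsoft.com for automatic enrollment.
    foreach ($domain in $VerifiedDomains) {
        $name = "EnterpriseEnrollment.$domain"
        try {
            $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                Where-Object { $_.QueryType -eq 'CNAME' } |
                Select-Object -First 1 -ExpandProperty NameHost
            # Strip a trailing dot so a fully qualified answer still compares equal.
            $passed = ($cname -replace '\.$', '') -ieq $EnrollmentTarget
        } catch {
            $cname  = $_.Exception.Message
            $passed = $false
        }
        $results += [pscustomobject]@{
            Check  = 'EnterpriseEnrollment CNAME'
            Item   = "$name -> $cname"
            Passed = $passed
        }
    }
    $results
}

# Constructed sample input: contoso.com is the post's example domain; the
# .local suffix is a deliberately non-routable UPN that should fail check 1.
Test-MdmDnsPrerequisites -UserPrincipalNames 'dan@contoso.com', 'erin@contoso.local' `
                         -VerifiedDomains 'contoso.com' | Format-Table -AutoSize
```

Any row with Passed set to False identifies a user suffix that cannot sign in to Windows Intune with its on-premises UPN, or a domain whose users will have to enter the enrollment server manually because the CNAME is missing or points elsewhere.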

Device certificates or keys. Each device platform (such as Windows, Windows RT, Windows Phone, or iOS) may require certificates that are specific to the platform. You will also need sideloading keys for Windows devices.

System Center 2012 R2 Configuration Manager user collection. This user collection contains all of the users you’ll be managing through Windows Intune. You must create this collection prior to configuring your Windows Intune subscription.

In most cases, you’ll have an on-premises Active Directory Domain Services (AD DS) infrastructure, which is where your user accounts are managed. Ideally, you want to provide a single sign-on experience for your users so that they can use the same credentials to access on-premises and Windows Intune services.

To do this, install and configure the Microsoft Azure Active Directory Sync Tool. This tool synchronizes the user and group accounts in your on-premises AD DS forest with Azure Active Directory (which Windows Intune uses). You install the tool on an on-premises server (virtual or physical). The installation process is wizard-driven and simple.

Configure the Azure Active Directory Sync Tool by providing:

Administrative credentials for your Windows Intune subscription.

Administrative credentials for your on-premises AD DS forest.

Whether you want to synchronize passwords for the accounts.

After you have configured the Azure Active Directory Sync Tool, it automatically starts the synchronization process. Depending on the number of users in your AD DS forest, synchronization can take a few minutes or a couple of hours. The tool continues to run and keeps both directory services in sync with each other, which helps ensure that users need to remember only one set of credentials.

You can also use Active Directory Federation Services (AD FS) with Windows Intune to enable single sign-on. Implementing single sign-on with AD FS means that password hashes do not have to be synchronized between your on-premises AD DS forest and Azure Active Directory.

A Windows Intune subscription that is integrated with System Center 2012 R2 Configuration Manager can be administered only in the Configuration Manager console.

A Windows Intune subscription that is not integrated with System Center 2012 R2 Configuration Manager can be administered only in the Windows Intune Administration portal.

Note: You configure a Windows Intune subscription for integration with System Center 2012 R2 Configuration Manager only once. The process cannot be reversed for that subscription.

You configure the Windows Intune subscription by completing the Add Windows Intune Subscription Wizard. In that wizard, you provide the following information:

User collection that contains users who will enroll their mobile devices

Administrative credentials for your Windows Intune subscription

Company name that you want to appear in the Company Portal app

Any company logos that you want displayed in the Company Portal app

System Center 2012 R2 Configuration Manager site code

IT support contact information (which is displayed in the Company Portal app)

The mobile device platforms (Windows, Windows Phone, iOS, or Android) that you want to support

Any platform-specific configuration information

You can also configure some of these settings after you have added the Windows Intune subscription in the Configuration Manager console.

Add the Windows Intune Connector site system role

Adding the Windows Intune Connector site system role in System Center 2012 R2 Configuration Manager is like adding any other System Center 2012 R2 Configuration Manager site system role: you use the Add Site System Roles Wizard in the Configuration Manager console. You don’t have to provide configuration settings; just ensure that you select the Windows Intune Connector site system role on the System Role Selection wizard page. For more information about adding the Windows Intune Connector site system role in System Center 2012 R2 Configuration Manager, see The Windows Intune Connector Site System Role.

Enable Windows Intune extensions

Windows Intune has Configuration Manager console extensions that allow the Configuration Manager console to be aware of new capabilities. You can find these extensions in the Extensions for Windows Intune node in the Administration workspace.

For example, the iOS 7 Security Settings extension adds support for the new iOS 7 security configuration settings; the Windows Phone 8.1 Extension adds support for Windows Phone 8.1 features and management. Depending on the devices you’re managing, you may need to enable some or all of the extensions.

After you enable the Windows Intune extensions for the Configuration Manager console, close the console, and then reopen it to complete the process. When you restart the Configuration Manager console, the new features and configuration options appear.

Now you’ve seen how easy it is to prepare for MDM by using System Center 2012 R2 Configuration Manager and Windows Intune. You can try out these steps by downloading the evaluation copy of System Center 2012 R2 Configuration Manager and signing up for a trial version of Windows Intune. In my next blog post, I’ll walk through the process of enrolling different types of devices.
